I have been reading Thomas Wilhelm's book Pro Pen Testing and I have been reading some other resources from his site as well. Here is a question I have. I have noticed that every lab scenario from countless tutorials has you always perform an nmap scan to see what hosts are on the network that could be potential places for hackers, such as open ports I assume. That's fine, but I noticed it's all private-side scanning. What if a hacker is from a remote location and has to go through a public IP? He or they would have to gain inside private access first, then do scans. So it seems pointless to me to do pen testing from the private side, because that assumes the hacker has gotten in already. Can you scan a public IP for open ports? Thanks guys

Of course you can scan public IPs for open ports. If a site allows you to SSH in, or serves web pages, or web applications, then there's a port open somewhere. If you want to play around with scanning a public IP, scanme.nmap.org is designed for testing nmap.

OK, so why are all the tutorials out there about hacking from the private side? I don't understand that. I.e., the De-ICE challenge level 1: you scan and enumerate from the private side as if you had already gained access. But I thought the whole point of pen test training is to show how to gain access, but if you are attacking from the private side, then that assumes you already have gained access. Are you supposed to sorta "pretend" that the web server on De-ICE or any other challenge has a "public" IP and you're just using a private IP as your fake/unreal public?

Thanks. I hope this is not confusing. I'm just trying to make sense of it all. I am totally new to this whole hacking thing. I mean I need someone to hold my hand for level one because I have no idea where to start or why. Even watching movies does not help because it does not explain why they chose to do that.

When working in a lab, try to ignore that your machines (and the publicly provided targets like De-ICE) are using RFC 1918 address space. This is merely for convenience; if you needed public hosting and IP space for a test environment the costs would skyrocket. And it's obviously not sensible to host vulnerable systems on public-facing networks.

Using De-ICE as an example, the server is built as a (poorly protected) public facing system. It's not uncommon for public systems to have the same ports and services exposed to the wider world, rather than locking down administrative ports for example.

There's nothing stopping you from setting up De-ICE or any other vulnerable machine as a publicly facing external server. The issue is that you'll be facing attacks and scans from other people who happen to come across your server.

This is a good question and one that I struggled with in my early stages. The best way to think of it is to believe that you have established a foothold on the local LAN, and now you are scanning for additional targets. If you want a more realistic setup, you could build a backdoor, send it to yourself in an email (using SET), compromise your internal LAN, then scan and hack from a public location.

The truth is, most hacking these days isn't external; it's occurring on the LAN, or against a web front-end.

Seph makes a valid point. Even when it comes to advanced attacks, most of them have been done using a phishing email that gets them access to the victim's machine. From there they attempt lateral movement through the network until they can gain access to an elevated account which can be used to lay in some backdoors for future use. Now if the victim network has proper controls in place (egress filtering, network ACLs, a monitored SIEM, etc.) then this may make internal movement/compromise more difficult. It's tough to create an outbound reverse TCP shell if all ports are being filtered/blocked. Unfortunately not all orgs do this, and even filtered ports can be used if you can compromise the external host they are going to.

If you wanted to set up a lab to simulate attacking from outside, you can always acquire a low-end firewall and put that in front of the victim hosts. Attempt to attack directly or create some SET or Metasploit payloads you can apply to the internals.
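The two replies above raise the defender's side of this: a box facing the Internet will be scanned by strangers, and a monitored SIEM is one of the controls that makes an intruder's life harder. The script below is an added example, not code from this thread or from De-ICE; it shows the kind of rule a SIEM would run to separate a port scan (many distinct ports in a short burst, mostly dropped) from normal client traffic. The log format, IP addresses, and thresholds are constructed assumptions.

```python
"""Flag port-scan behaviour in connection logs (added example; sample data is constructed)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed (constructed) log format: "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <ACCEPT|DROP>"
def _line(ts, src, port, verdict):
    return f"{ts.isoformat()} {src} -> 192.0.2.10:{port} {verdict}"

_t0 = datetime(2012, 7, 25, 12, 0, 0)
SAMPLE_LOG = "\n".join(
    # 198.51.100.7: 12 ports in 11 seconds, only 22 and 80 answer -> scan
    [_line(_t0 + timedelta(seconds=i), "198.51.100.7", p, "ACCEPT" if p in (22, 80) else "DROP")
     for i, p in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080])]
    # 203.0.113.5: ordinary web client reusing two open ports over minutes
    + [_line(_t0 + timedelta(minutes=m), "203.0.113.5", p, "ACCEPT")
       for m, p in enumerate([80, 443, 80, 80, 443, 80])]
    # 203.0.113.9: slow probe, one closed port every five minutes
    + [_line(_t0 + timedelta(minutes=5 * m), "203.0.113.9", p, "DROP")
       for m, p in enumerate([21, 23, 25, 110, 143])]
)

def parse_line(line):
    ts, src, _, dst, verdict = line.split()
    _, port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, int(port), verdict

def detect_scans(log_text, window_seconds=60, port_threshold=10):
    """Return {src_ip: summary} for every source that touched at least
    port_threshold distinct destination ports inside any sliding window
    of window_seconds. Widening the window catches slow scans at the
    cost of more false positives."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, port, verdict = parse_line(line)
        events[src].append((ts, port, verdict))
    window = timedelta(seconds=window_seconds)
    alerts = {}
    for src, evs in events.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            burst = [e for e in evs[i:] if e[0] - start <= window]
            ports = {p for _, p, _ in burst}
            if len(ports) >= port_threshold:
                alerts[src] = {"distinct_ports": len(ports),
                               "dropped": sum(1 for _, _, v in burst if v == "DROP"),
                               "first_seen": burst[0][0], "last_seen": burst[-1][0]}
                break  # one alert per source is enough
    return alerts

if __name__ == "__main__":
    for src, info in detect_scans(SAMPLE_LOG).items():
        print(f"possible scan from {src}: {info}")
```

With the defaults only the fast scanner is flagged; rerunning with a one-hour window and a threshold of 5 also catches the slow prober while the web client stays clean.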

AWESOME. OK, so I was somewhat right about just pretending they are public-facing IPs. I was just making sure. It was really confusing me.

I'm still trying to remember everything I learned from 5 years ago in my CCNA and CCNP classes. I never used the info so it's kind of dusty. haha.

As for my lab, my ultimate would be to have an online lab that is virtual (VMware) and have some virtual Cisco and firewall products in it. But that will be after I know what I am doing. haha. As of right now, I would love to have a VPN set up and run RDC over it to run my labs, or some sort of online lab for this.

My next question I need some light on is SSH. I know it's a secure shell. I think of it like a type of VPN: it logs me into the system/network from a remote location, so sorta like the early stages of RDC. My question is this. Once I have SSH'd from my Ubuntu 11.10 laptop into a remote machine running BackTrack 5, I can issue BackTrack commands that would be unfamiliar to Ubuntu 11.10 if I were not in an SSH session, right? I.e., I can type metasploit and it will run the program because I have SSH'd into the BT5 machine, right?

Here is what my ultimate virtual lab would be. Basically the Hacking Dojo has somehow read my mind and created it. haha.

But for now, I need to learn how to set up a basic VPN that is easy to use and understand. I have no firewall, just a basic CenturyLink router. I think Hamachi or OpenVPN might be best.

Thanks for the help so far. I'm not sure where to post my other questions. I have no idea what I am doing when it comes to security. I have tried the last couple of years but I end up just stopping because I have no help or idea. I would love to find a full tutorial that explains how to complete De-ICE level 1 and why they chose that path and why it is important. I really do need my hand held. haha, cuz I have no idea what I'm doing. haha

I'm surprised nobody has actually mentioned this. Not to be snide, but if you're having those kinds of questions about IP address classes and you're on step number nmap in your learning, I'd say you need to stop now and go read a good networking fundamentals book. You are going to be totally lost as you work through the technical details of pen testing; if you don't know the fundies, you'll never be good at it.

Good point Rance. LT, what is your current base of experience? Have you been working in IT? Do you have a programming or systems background? The way to succeed in this industry is to build up the base. Many of us have worked in IT for years doing one thing or another. Knowing some network and system fundamentals helps a good deal. I did notice you mentioned some Cisco books, did you get either of the certs or just picked up the books to get an idea of the material?

3xban wrote: Good point Rance. LT, what is your current base of experience? Have you been working in IT? Do you have a programming or systems background? The way to succeed in this industry is to build up the base. Many of us have worked in IT for years doing one thing or another. Knowing some network and system fundamentals helps a good deal. I did notice you mentioned some Cisco books, did you get either of the certs or just picked up the books to get an idea of the material?

I have a degree in net engineering along with a CCNA and the routing part of my CCNP. I also have my RHCT. BUT that was 5 years ago and I have never had a job that uses it. I have had IT jobs and was department head, BUT our network was sourced out before I got there. Prez said no touchy, so I handled the lower-end stuff. But I did work for IBM and I installed the backbone for the eBay HQ in my area. But after that I switched to Mechanical Engineering because that had the career options I wanted. Hard to explain. haha.

The IP addressing is not hard for me to do. I can supernet and subnet address space for route propagation and ACLs in Cisco routers just fine. Supernetting is my favorite, especially when you use wildcard masks for the control lists. haha. What was confusing me was why all the attacks were private side. I was getting the impression from the material that access had already been gained and now you were just trying to enumerate more info. It was confusing me because I thought the material was supposed to teach how to gain access in order to know how to protect. I was not under the impression that such an insecure server could exist, but then again, this is level one material and they have to present it somehow for the basics. haha.

lol. BUT it has been 4 or 5 years since I have used my CCNP knowledge. My friend is Todd Lammle, and his ghost writer and editor was my professor (the book was not the professor, haha. It was a real person :)). It was kind of cool.

Now, I will say this. Just because I was excellent at supernetting and configuring routers does not mean I am good at security. I know how ICMP, TCP and other protocols work pretty well, but that does not mean I know how to manipulate them. I could never figure that part out. haha. Understanding how things worked normally was easy for me, but understanding how to manipulate them, or troubleshoot because they are not working so well, that was the hard part.

This is why I am wanting to complete the Heorot courses. I feel that as a mechanical engineer, this can and will help my problem-solving skills and give a sense of accomplishment. haha. I never know if in the future I will be called to the office because the IT team needs some help. So I do like to review concepts every so often. BUT security is something I have never done. I mean it's easy to follow a firewall tutorial to protect your house or company, but if you don't know why it's doing what it is doing, well then. haha, and that's why I am here: to learn security. haha.

That was a LONG-winded reply, but I wanted to make sure I expressed my unawareness of security but also let you know that I have some excellent experience in networking.

You guys are awesome and I trust you all. Thanks much.

Last edited by LT72884 on Wed Jul 25, 2012 12:11 pm, edited 1 time in total.

OK, so you can get the "fundies" as Rance put it. Just wanted to check. Yes, the security mindset is definitely a different thought process. You need to take yourself out of the shoes of an engineer who builds something to work and reverse that to look at how it shouldn't work or where you can break it. As we said, the private IP range is just easier to set up in a simple lab. But by all means, build this out more complex; not only will you exercise your old skills but you will make a more realistic lab. You can still do this with private IP addressing, just use a different private range for your "WAN" side. Get a router or low-end firewall and put that in front of the lab machine. If you can, get hold of a box to run ESXi on and toss a bunch of VMs on it, including the De-ICE systems.

As for the De-ICE systems, remember you are doing more than scanning for ports. Here's a hint (though you probably found it): there is a web page available on the first one. This gives you a taste of doing recon and building some intel on the victim. That is the first part. The next part involves using that information.

In pen testing, the more time you spend on building a portfolio of the client/victim, the more information you will have to use during the test. This is especially important if you need to use social engineering to obtain more information that may not be publicly available.

Another item to note: if you really want to get in the mindset, try to hook up with the local community. One of the best things I ever did was attend a BSides event. They are great for meeting some cool people who don't mind sharing what they know.

Thanks for the awesome reply my friend. I didn't mean to make the post soooo long-winded, but I had to defend my honor of having a bachelor's in network engineering that I NEVER use. I can totally see why you guys asked though.

OK, first things first, you all are gonna laugh at me. So about 2 or 3 years ago I purchased Thomas Wilhelm's book "Professional Penetration Testing", didn't read much and didn't check out the DVD. It was during a rough time in school and life, so things got put on the back burner. So last night I finally got a chance to watch the Heorot Penetration Testing Fundamentals course videos. The DVD comes with the full course for the ISSAF including lecture notes, videos and live CDs, except Hackerdemia must be out of date because all the lessons on it go to a page under construction... so the tutorial on Hydra is not there. Oh well.

Here is where I need to look at things backwards, and I may need some help. I watched the video on the DVD where he scans using different techniques. He shows that port 80 is open and then goes to the web page. What is so important about port scanning besides the fact that it shows what types of services are running?

To tell you the truth, sarcastically I thought to myself, "yeah, so what's the big deal that port 80 is open, or 21. So they have a web server up. Who doesn't?" OK, that's what I need some correction on: the importance of open ports. You can't do much if you do not have a password... which I assume is part of the challenge, BUT the tutorial on the live CD of Hackerdemia does not exist, so I'm stuck at the moment. haha. Maybe the videos show me what to do in a sense.

OK, I also noticed on the web page that it says pictures coming soon of the picnic and to send flowers and cards to a specific place. Are finding the pictures and finding where the cards are going any part of the challenge?

OK, thanks guys. I know I have a lot to say, but I'm practicing documenting everything so I can get a cert and also use the technical report for my engineering writing class.